To

From

Thank you

Sorry

Whatever the role, good communication regarding the duties and expectations of a security professional is key to that person’s success. That communication starts with a solid, thorough job description. It will be an important benchmark when hiring for the role, and a touch point for performance once the candidate is on board. The job description is also a baseline that helps security team managers keep pace as many roles evolve.

IT security engineer is a relatively new job title, with the responsibilities and scope still in flux. Its focus is on quality control within the IT infrastructure. This includes designing, building and defending scalable, secure, and robust systems; working on operational data center systems and networks; helping the organization understand advanced cyber threats; and helping to create strategies to protect those networks.

Those strategies generally include monitoring and protecting sensitive data and systems from intrusions. This person usually works as part of a larger IT team and reports directly to upper management.

Skills and competencies

This section outlines the technical and general skills required as well as any certificates or degrees that a company might expect an information security engineer to have. Key technical skills include:

The IT security engineer is also expected to know compliance standards such as ISO 27000, ISO 9001 and FedRAMP.

Industry specific requirements

Experts say that, as is usually the case in information security, the core skill and qualification requirements apply to all industries. The differences are generally in regard to compliance.

Eric Cissorsky, senior IT security specialist at UBC, says that since he works in healthcare, “my primary concern is HIPAA (Health Insurance Portability and Accountability Act) and HITECH (Health Information Technology for Economic and Clinical Health) compliance.

“Other industries may be more concerned with requirements such as PCI-DSS (Payment Card Industry-Data Security Standard) for those taking payment over the Internet or FISMA for the government sector,” he says.

Chris Clark, Principal Security Engineer at Synopsys, says the need for different “soft skills” can vary by industry and company culture. “An individual's ability to cope with the stresses and rigors of each industry and the job role within that industry can vary greatly,” he says. “A candidate with excellent technical acumen may not have the soft skills necessary to transition from health care to let's say education or finance and vice versa. If you can show your ability to adapt you are ahead of the game.”

How to attract the best

According to Indeed, the average salary for a security engineer in the U.S. is $103,620. Other sources report the range to be as low as $60,000 to more than $200,000 a year.

Money is important to good candidates, but they also want to know the company supports their work. “Without a doubt, the most important thing I look for in an employer is a serious commitment to infosec from the executive level,” Cissorsky says. “Many organizations talk a good game when it comes to infosec, but lack follow through, so I look for policies and processes that show the organization is serious. Beyond that a meaningful commitment to continuing education is very important to me.”

Clark says that while perks such as unlimited vacation days, educational stipends and free lunch are nice, even they will go only so far, “before the real questions need to be addressed: Am I valued? Does the company care about my contribution and well being? What is next? Can I grow? These are just some of the questions that if a company can address they stand a much better chance of culling and keeping the best and brightest,” he says.